Security Controls Types - CompTIA Security+ SY0-701 - 1.1
In this section, we’ll look at a number of different control types and determine which of the four categories (technical, managerial, operational, and physical) each example of a control type fits into.
Preventive control type
The first control type we’ll look at is a preventive control type. This is a control that limits someone’s access to a particular resource. You can think of this as something like a firewall rule, which would prevent somebody from gaining access to a particular area of your network. Or it may be something more tangible, such as a guard shack checking everyone’s identification as they come into your facility. A good way to test yourself with these different control types is to determine what category a certain example will fit into.
- So when we deal with preventive control types, we can look at firewall rules. And since those are handled at a technical level, then those would fit into the technical category.
- As we hire people, we may want to set a certain type of policy for onboarding. And those would be policies set as part of a managerial category.
- We’ve already mentioned a guard shack checking everyone’s identification. And since that’s done by a person, we can fit that into an operational category.
- And lastly, we have door locks, which are physical devices preventing access to a room. So that would fit into the physical category.
Deterrent control type
Another important control type is a deterrent. Although a deterrent may not prevent someone from accessing a resource, it discourages them and makes them think twice about the attack they’re planning. For example, when you start an application, there may be a splash screen or login banner stating that access is restricted to authorized users. Or there might be the threat of a demotion or a dismissal if somebody gains access to data that they should not be accessing. There might also be a front reception desk greeting everyone who walks in, or warning signs telling people that there will be consequences if they enter this facility without authorization. These fit neatly into our four categories.
- A splash screen is a deterrent that fits into the technical category.
- A demotion is a managerial category.
- The reception desk fits into the operational category.
- And the warning signs are a physical deterrent.
Detective control type
A detective control type can identify and, in some cases, warn us when a particular breach has occurred. This may not prevent access. But it would give us a warning and log information about that particular attack. An example of a detective control type may be a process of collecting, reviewing, and going through system logs. Or you may be reviewing log-in reports about who’s gained access to your systems. There might be someone patrolling the property, looking for cases where someone might have broken into your facility. And you might have motion detectors so that you’re automatically notified if something is moving in an area where normally there should be no motion.
- The system logs that are detailing everything that’s going on in your systems would fit into the technical category.
- Someone reviewing log-in reports every day or every week would fit into the managerial category.
- Someone patrolling the property would be an operational category.
- And then the motion detectors provide us with a physical category.
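The log-review step described above is the one detective control in this list that can be shown in code. The following is an added example written for this page, not code from the original, in Python: it reads a handful of constructed login records, counts consecutive failed logins per user and source address, and reports two patterns a reviewer would want flagged. The log format, addresses and the failure threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample login records in an assumed syslog-like format.
# These are not real log lines.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:03 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:05 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:06 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:09 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T08:15:00 sshd: Accepted publickey for bob from 198.51.100.7
2024-03-01T09:00:00 sshd: Failed password for root from 192.0.2.9
"""

# Assumed threshold: this many consecutive failures from one (user, source)
# pair is worth a human's attention.
FAILURE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts. Lines that do not match are skipped;
    a real review should count unparsed lines too, since gaps in the log
    are themselves a finding."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def review_logins(events, threshold=FAILURE_THRESHOLD):
    """Return findings as (kind, user, source) tuples.

    'repeated_failures' fires once when a (user, source) pair reaches the
    threshold. 'success_after_failures' fires when a login succeeds right
    after such a run: that is what password guessing looks like, but it is
    also what a user who finally remembered a password looks like, so the
    control detects and a person decides.
    """
    findings = []
    failures = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(("repeated_failures", ev["user"], ev["src"]))
        else:
            if failures[key] >= threshold:
                findings.append(("success_after_failures", ev["user"], ev["src"]))
            failures[key] = 0
    return findings


if __name__ == "__main__":
    for kind, user, src in review_logins(parse_log(SAMPLE_LOG)):
        print(f"{kind}: user={user} source={src}")
```

Run against the sample, the review reports both findings for alice from 203.0.113.5 and nothing for bob or the single root failure. None of this stops the login, which is the point of the control type: it produces the warning and the record, and something else (a person, or a corrective control) acts on it.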
Corrective control type
If there is a notification that someone has breached a system or gained access to a certain area of your business, then you want to apply a corrective security control. A corrective security control is something that occurs after the event has been detected. It is sometimes able to reverse the impact of that particular event, or it allows your business to continue operating with minimal downtime. For example, if a computer has been infected with ransomware that has encrypted everything on that system and made all of the data inaccessible, you can erase everything on that computer and restore it to a known good state using a backup taken before the infection. You might also want to create policies so that any security issue or unusual event you see is rolled up into an alert or some type of notification. If you find that someone has jumped your fence or tried to get in through a door in your building, you may need to contact law enforcement to correct that particular incident. And if something catches fire, you can grab a fire extinguisher and make sure the fire doesn’t spread any further, thereby correcting that particular event. As you might expect, those four examples fit into the four categories that we have.
- For example, recovering from a backup would be a technical category.
- Being able to have policies for reporting issues when they occur would be in the managerial category.
- Contacting authorities for some type of legal issue would be an operational category.
- And your fire extinguisher is a physical category.
Compensating control type
You might also find yourself in a situation where you know about a security problem, but you don’t have the resources or means to address it with the control you would normally use. In those cases, you may want to use a compensating control type, which reduces the risk by other means. This is often something you use on a temporary basis until you’re able to put together a plan to resolve the underlying issue. For example, you might have an application that is important for your organization, but the application developer has told you that they’ve identified a significant security vulnerability in that software. Since the application developer is going to provide you with a patch sometime in the future, you may want to set a firewall rule today that would prevent somebody from exploiting that particular vulnerability until the patch is applied. Or you might separate duties between different individuals to limit the scope of any single security concern. Or you might have multiple security guards working at the same time to make sure that no single security guard has complete access to everything in your environment. And if you lose power in your building, you might have a generator so that while you’re waiting for main power to be restored, you can compensate by turning on your generator. Those are our four different categories of a compensating control.
- We have a technical category of blocking that traffic instead of patching the application.
- There may be a separation of duties for the people that work in your organization. And that fits into the managerial category.
- You might require multiple security staff working simultaneously. And that would be the operational category.
- And lastly, having a power generator to compensate for a power outage fits into the physical category.
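Two of the technical examples on this page, the standing firewall rule under preventive controls and the block-instead-of-patch rule under compensating controls, can be shown with one piece of code. The following is an added example written for this page, not code from the original, in Python: a toy first-match packet-filter evaluator with a default deny. The rule set mixes ordinary preventive rules with one compensating rule that carries a review date. The CIDRs, ports, dates and the review-date convention are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR the rule applies to
    dport: Optional[int]              # destination port; None means any port
    note: str                         # why the rule exists
    review_by: Optional[date] = None  # set only on compensating rules


def rule_matches(rule, src_ip, dport):
    """A rule applies when the source address is inside its CIDR and the
    destination port matches (or the rule is port-agnostic)."""
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, src_ip, dport):
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in rules:
        if rule_matches(rule, src_ip, dport):
            return rule.action, rule.note
    return "deny", "default deny"


def stale_rules(rules, today_iso):
    """Compensating rules past their review date. They stay in force; this
    only reports them, because silently expiring a deny would reopen the
    vulnerable service whether or not the patch ever arrived."""
    today = date.fromisoformat(today_iso)
    return [r for r in rules if r.review_by is not None and today > r.review_by]


# Constructed rule set; all addresses, ports and dates are assumptions.
RULES = [
    # Preventive: the internal network may reach anything.
    Rule("allow", "10.0.0.0/8", None, "internal network"),
    # Compensating: the admin service on 8443 has a known vulnerability and
    # no patch yet, so block it from everyone else until the patch is applied.
    # The review date is when someone must check whether the patch landed.
    Rule("deny", "0.0.0.0/0", 8443, "compensating: unpatched admin service",
         review_by=date(2024, 4, 30)),
    # Preventive: the access rules that were in place before the vulnerability.
    Rule("allow", "203.0.113.0/24", 8443, "partner admin access"),
    Rule("allow", "0.0.0.0/0", 443, "public HTTPS"),
]


if __name__ == "__main__":
    for src, port in [("10.1.2.3", 8443), ("203.0.113.10", 8443),
                      ("198.51.100.4", 443), ("198.51.100.4", 22)]:
        print(src, port, evaluate(RULES, src, port))
    print("needs review:", [r.note for r in stale_rules(RULES, "2024-05-01")])
```

Rule order matters in a first-match filter: the compensating deny sits above the partner allow it is meant to override, so the partner range loses access to 8443 only for as long as the rule is present, and removing that one rule once the patch is applied restores the original preventive policy. The review date is deliberately a reminder and not an automatic expiry; a compensating control that quietly switches itself off is a gap waiting to happen.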
Directive control type
The last control type we’ll look at is a directive control type. This is a relatively weak security control because it relies on people to comply: you are directing someone to do something more secure rather than less secure, but nothing technically enforces it. For example, you may require everyone to store sensitive information in a protected and encrypted folder on their system. This requires the user to decide what data is sensitive and what data is not, and then they are directed to store the sensitive information in the protected folder. As part of our security policies, we may want to add compliance policies and procedures so that everyone understands the proper processes to use for security in your environment. You might also train users on what the proper security policies are. And another example of a directive control is a sign on a door that says “authorized personnel only.” There might not be a lock on the door, but the sign directs people to either enter or not enter.
- So to summarize these, a requirement to store sensitive data in an encrypted folder is a directive control in the technical category.
- A compliance policy fits into a managerial category.
- Someone performing a security policy training course would be a directive control type fitting into the operational category.
- And a sign on a door that says “authorized personnel only” fits into the physical category.